Restrict domain admins group

  • Restrict domain admins group

    I need to be able to restrict who has permissions to add a user to the domain admins group. I am having issues with IT techs here adding people to the domain admins group when they should be granted no more than local admin rights.

    The IT techs still need to have domain admin rights though, because of office politics and the way that permissions are currently assigned across the network. Right now I am looking for any suggestions that anyone may have. And yes, I know the easiest solution would be to give the least amount of rights that they need to be able to do their jobs, but I do not have that option currently.
    Last edited by wiredteknologies; 24th June 2008, 17:57.
    Technology is only as good as those who use it

    My tech blog - wiredtek.wordpress.com

  • #2
    Re: Restrict domain admins group

    I'm going to stick my neck out here and say it cannot be done. If the IT Tech is a Domain Administrator, he can do anything including bypass any blocks you may discover.

    (Now I wait in trepidation while someone cleverer than me tells us how to achieve the objective ... gulp! )
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



    • #3
      Re: Restrict domain admins group

      I don't think it can be done either, but if it can be, it will make my job much easier.



      • #4
        Re: Restrict domain admins group

        Maybe if you tamper with the permissions on the group you could do something.



        • #5
          Re: Restrict domain admins group

          HIGHLY stress how bad it is to have multiple Domain Admins (especially ones that aren't TECHS!). While I've seen networks where all the techs have various admin rights, there's absolutely NO business reason where someone outside of IT should have those rights! It creates WAY too many security vulnerabilities.

          99% chance that those non-IT guys w/ Domain Admin access have idiotic passwords

          Basically, I'd make a list of all of the users w/ Domain Admin access, figure out which ones NEED it (mainly part / all of the IT staff from what you've said), and then figure out why others are being given it.

          If they're being given DA access just to make IT's life easier, SLAP whomever did that in your staff!
          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Restrict domain admins group

            Believe me, if I could there would only be 2 of us in the domain admin group. But as stated, due to politics here all of the techs have domain admin rights. And their solution for everything when a user doesn't have enough rights is to add them to the domain admin group, even though it's been brought down many times that no one outside of our department is to have domain admin rights. They're just too lazy to figure out where permissions need to be applied. So my solution for this is to try and find a way so that only 2 of us can change domain admin members. I've tried time and time again to convince people here that not everyone in this department needs domain admin rights.



            • #7
              Re: Restrict domain admins group

              Restricted Groups in Group Policy. Remove permissions on the GPO from "Administrators" (Deny them "Take Ownership" if you must) and create a group which is the ONLY group with permission to change that GPO. This group CANNOT be Domain Admins otherwise the "Deny" will take precedence... and to have access to GPOs in general they will have to be Group Policy Creator Owners and possibly Account Operators. You may have to create specialised user accounts which only you two can use, just to modify this policy.

              It's probably get-around-able; but it's a damn good start. The "Restricted Groups" policy simply re-applies the group membership you supply in the GPO to the groups listed in it; you list "Domain Admins" and put in who you want in. Any other DA can add to Domain Admins; but the new member will be stripped out within minutes.
              Last edited by Stonelaughter; 24th June 2008, 22:38.


              Tom
              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

              Anything you say will be misquoted and used against you



              • #8
                Re: Restrict domain admins group

                Originally posted by wiredteknologies:
                "And their solution for everything when a user doesn't have enough rights is to add them to the domain admin group"
                I have no solution but WOW...

                If I was working with monkeys like that I'd find another place to work.



                • #9
                  Re: Restrict domain admins group

                  Hi,

                  I wish you could put processes in place. It's not too late: give proper justification to the right person and implement it; otherwise the BIG STICK will help you resolve this issue.


                  Rgds



                  • #10
                    Re: Restrict domain admins group

                    Originally posted by wiredteknologies:
                    "Believe me, if I could there would only be 2 of us in the domain admin group. But as stated, due to politics here all of the techs have domain admin rights. And their solution for everything when a user doesn't have enough rights is to add them to the domain admin group, even though it's been brought down many times that no one outside of our department is to have domain admin rights. They're just too lazy to figure out where permissions need to be applied. So my solution for this is to try and find a way so that only 2 of us can change domain admin members. I've tried time and time again to convince people here that not everyone in this department needs domain admin rights."
                    Sounds like they're not doing their job then. They are purposely creating security holes in the network.



                    • #11
                      Re: Restrict domain admins group

                      So it sounds like you're banging your head against a brick wall, so take defensive action. Get something in writing, hard copy, to your boss or even someone higher up that explains the situation in non-emotive, passive terms and cover your backside that way. Then, give up on the issue! << Not my normal advice on anything, but sometimes life's too short...
                      Best wishes,
                      PaulH.
                      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                      • #12
                        Re: Restrict domain admins group

                        I can't think of any way of stopping this, but if they aren't too technical they might get baffled by Stone's suggestion of restricted groups, although that is a risk if they are gung-ho and start messing around trying to get round it!

                        All I can suggest is to monitor the group, we use MOM2005 (but others can do this, including simple scripting) so when a user is added or removed you get an instant email saying so.

                        This then limits the time they are in there and also tells you exactly "who dunnit" so you can firmly kick them all the way to a security best practice training session!

                        Topper
                        * Shamelessly mentioning "Don't forget to add reputation!"

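One way to do the monitoring Topper describes with "simple scripting", as an added example that is not from the thread or any poster: it compares the current Domain Admins membership against an approved baseline and, when they differ, mails the difference together with the Security-log events (4728/4729) that record who made the change. It assumes the RSAT ActiveDirectory module on the machine running it; the baseline path and mail addresses are placeholders.

```powershell
Import-Module ActiveDirectory

$BaselineFile = 'C:\Admin\da-baseline.txt'   # placeholder path: approved SamAccountNames, one per line
$MailParams = @{
    From       = 'da-watch@example.com'       # placeholder
    To         = 'secteam@example.com'        # placeholder
    SmtpServer = 'smtp.example.com'           # placeholder
}

# Current members of Domain Admins, including members of nested groups
$current = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique)

if (-not (Test-Path $BaselineFile)) {
    $current | Set-Content -Path $BaselineFile   # first run: record the approved list and stop
    return
}
$baseline = @(Get-Content -Path $BaselineFile | Sort-Object -Unique)

$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
if (-not $diff) { return }   # membership still matches the approved list
$added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
$removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

# "Who dunnit": Security events 4728 (member added to a global group) and 4729
# (member removed) are logged on the DC that processed the change; this queries
# the PDC emulator only; extend the list of DCs if changes may land elsewhere.
$pdc = (Get-ADDomain).PDCEmulator
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4729; StartTime = (Get-Date).AddHours(-1) } |
    ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        if ($f.TargetUserName -eq 'Domain Admins') {
            "$($_.TimeCreated)  id $($_.Id)  by $($f.SubjectDomainName)\$($f.SubjectUserName)  member $($f.MemberName)"
        }
    }

$body = @"
Domain Admins membership differs from the approved baseline.
Added:   $($added -join ', ')
Removed: $($removed -join ', ')

Group-change events on $pdc in the last hour (4728/4729):
$($events -join "`n")
"@
Send-MailMessage @MailParams -Subject 'ALERT: Domain Admins membership changed' -Body $body
```

Run it from a scheduled task every few minutes; auditing of "Security Group Management" must be enabled on the domain controllers for the 4728/4729 events to exist.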


                        • #13
                          Re: Restrict domain admins group

                          Stone, thanks for the suggestion on that. I was kind of thinking that before I started this, but I didn't know if it would work for the domain admins group. I think it would be enough to deter them from doing this; none of them have an understanding of GPOs or permissions..

                          And I have covered my backside on this, but it is to the point of making my job more difficult. So I have approval from my manager to do anything on the technical side to get this done, just nothing on the administrative side..

                          I will try to test Stone's idea out later this afternoon and report back with what all I find.



                          • #14
                            Re: Restrict domain admins group

                            I couldn't get the restricted groups approach to work for some reason. But I came up with my own solution:

                            Created a group called "Non-DA change"; on the domain admins group security tab in ADUC I added this group and set it up with explicit deny permissions.

                            On the Non-DA change group security tab I did the same as above.

                            In the non-da change group I added all of the technicians who should not have the ability to add members to the DA group.

                            This seems to be working so far for my test user that I have set up.



                            • #15
                              Re: Restrict domain admins group

                              Darn AdminSDHolder gets me every time, lol. Here is the workaround:

                              http://technet2.microsoft.com/window....mspx?mfr=true

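An added example, not from the thread, that checks the explicit-deny approach from #14 against the AdminSDHolder behaviour that bit the poster in #15: the SDProp process (every 60 minutes by default) re-stamps the DACL of CN=AdminSDHolder onto protected groups such as Domain Admins, so any ACE that exists only on the group is silently removed. The script lists exactly those ACEs and shows the group's adminCount marker; it assumes the ActiveDirectory module and the AD: drive it provides.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"
$daDN          = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName

# One string per ACE so the two DACLs can be compared entry by entry
function Get-AceKey {
    param($Ace)
    '{0}|{1}|{2}|{3}' -f $Ace.IdentityReference, $Ace.AccessControlType,
                          $Ace.ActiveDirectoryRights, $Ace.ObjectType
}

$holderKeys = @((Get-Acl -Path "AD:\$adminSDHolder").Access | ForEach-Object { Get-AceKey $_ })
$daAces     = (Get-Acl -Path "AD:\$daDN").Access

# ACEs present on Domain Admins but absent from AdminSDHolder. SDProp replaces the
# group's DACL with AdminSDHolder's, so these are the entries that will vanish on
# its next pass; a deny added directly to the group (as in #14) shows up here.
$transient = @($daAces | Where-Object { (Get-AceKey $_) -notin $holderKeys })
if ($transient.Count -eq 0) {
    'Domain Admins DACL matches AdminSDHolder; nothing will be stripped.'
} else {
    'ACEs on Domain Admins that SDProp will remove:'
    $transient | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
        Format-Table -AutoSize
}

# Protected objects are marked adminCount=1 and have inheritance disabled
Get-ADGroup -Identity 'Domain Admins' -Properties adminCount |
    Select-Object Name, adminCount
```

An ACE that must survive has to be placed on AdminSDHolder itself, but note that SDProp copies that DACL to every protected group and account (Administrators, Enterprise Admins, krbtgt and the rest), not just Domain Admins, so test the effect on all of them before relying on it.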
